Gateway/Processor Compliance Criteria


Axel Gromann
02-05-2007, 03:51 PM
Basic outline: A third party processor/gateway transmits encrypted data on behalf of a client without being affiliated with the merchant, merchant bank or cardholder's bank. I.e.: We are looking at this service as a product/black box approach that simply offers data transmission to one or more clients.

The encrypted transmission segment has to be compliant because it handles/transmits credit card data.

Questions raised:
- How to best go about third party compliance while engaged with your client --> I.e. how to make it as painless and efficient as possible
- Given that the gateway/processor segment or service does not touch upon all the PCI requirements in the scope of their service, how should one best go about ensuring their compliance and manage limiting the scope, if at all?

Thoughts?

admin
02-05-2007, 05:08 PM
Axel, I'm curious if the third-party processor is both accepting and transmitting or just transmitting on behalf of the merchant. You said they are not affiliated with the merchant so I'm not certain how they obtain and process transactions for them.

If a third-party is both accepting and transmitting transactions on behalf of the merchant, then the merchant does not need to be PCI compliant as they never touch credit card data. If the third-party is using their own merchant ID there is nothing for the merchant to do. If the third-party is using the merchant's merchant ID then the merchant will need to validate the third-party is PCI compliant and maintain contracts stating such.

If a third-party (gateway/processor) is only transmitting the credit card data on behalf of the merchant, the merchant must validate that the third-party is PCI compliant with the requirements that apply to them. If the third-party accepts credit cards on behalf of the merchant then all of the PCI requirements will apply to them.

If a third-party is a gateway or processor they need to be fully PCI compliant. This means meeting all of the PCI DSS requirements. Limiting the scope is secondary to them needing to fully comply with the standard.